Crackers are armed with keylogging malware and passwords from hacked fan site.

Screen output from the freely available Hashcat password-cracking application. Hackers use it to convert cryptographic hashes siphoned from compromised websites into plaintext passwords.

Dan Goodin

A password-cracking campaign against players of the popular game Guild Wars 2, combined with account log-in problems, generated more than 8,500 support requests over the weekend, company officials said, adding that the account take-over attacks were in part aided by compromised credentials siphoned from an unknown fan site that was recently hacked.

Officials with Guild Wars 2 developer ArenaNet recently began the practice of proactively e-mailing customers when someone logs into an account from a new location. They're also advising users to choose long, random passwords that are unique to their accounts and to check e-mail only from trusted devices. From Friday to Sunday, officials said they received about 8,500 support requests related to hacked accounts or blocked accounts. By Monday, the company's support team had helped 2,574 players with hacked accounts get back into the game. It also restored service to another 2,867 players with other login-blocking issues.

"If you don't want your account hacked, don't use the same email address and password for Guild Wars 2 that you've used for another game or web site," officials wrote over the weekend. "Hackers have big lists of email addresses and passwords that they've harvested from malware and from security vulnerabilities in other games and web sites, and they're systematically testing Guild Wars 2 looking for matching accounts."

The compromised sites include an unidentified Guild Wars-related fan site that ArenaNet officials said recently warned of a breach of its account database. "That's important, but just one of many apparent breaches of other games and web sites that hackers have been collecting email addresses and passwords from," they added.

The warnings come amid a wealth of anecdotal evidence pointing to an ongoing campaign, possibly by people located in China, to gain unauthorized access to Guild Wars 2 player accounts. On Thursday, an employee of Norway-based security firm Norman ASA recounted receiving an e-mail warning that someone used her details to attempt to log in to her Guild Wars 2 account just one day after it was created.

"It's been just over a week since the game launched, and I’ve now had 10 e-mails detailing attempts to access my account from China," the unnamed Norman employee wrote. "I live in Europe. Thankfully, creators ArenaNet make players confirm login locations via e-mail, so all these hacking attempts have failed."

Guild Wars 2 user forums are filled with threads that tell similar tales. Online games such as World of Warcraft have long been hotbeds for account takeovers because in-game assets such as gold and weapons can be sold online for real-world money. Accounts themselves are often sold wholesale.

"Uhm.. WTF!?" one Guild Wars 2 player wrote. "This is... frightening. I’ve barely owned the game for a day and already I’ve got chinese hackers after my stuff?"

ArenaNet officials should be applauded for being upfront about the attacks and providing effective advice for choosing passwords that aren't susceptible to cracking attacks. Chief among that advice is picking a long, randomly generated password that isn't used on any other site. That means, at a minimum, a password with eight characters—although 13 or even more is better—that's generated using a password management program such as PasswordSafe or LastPass. The password should use both numbers and capital and lower-case letters. If the password won't be entered with a limited keyboard, adding punctuation and other symbols is also a good idea.

The part about the need for passwords to be unique to a given site is crucial. The Norman employee said the e-mail address and password used for her compromised account were also used two years ago to leave a comment on a website that later got hacked. The anecdote exposes a fundamental truth about compromised passwords that Ars explains in much greater detail here, namely that the Internet never forgets. Once a password has been compromised anywhere, it will likely live on forever in thousands of password lists that hackers use to gain unauthorized access to accounts.
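The two defensive signals the article describes, a login from a location the account has never used (the e-mails ArenaNet sends) and a single source walking through many accounts with harvested credentials, as detection logic over a log. This is an added example, not ArenaNet's code; the log format, field names, IP addresses and sample lines are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not real ArenaNet data); the field layout is assumed.
# 203.0.113.5 walks a list of harvested credentials; carol reused a leaked password.
SAMPLE_LOG = """\
2012-09-01T08:00:00Z account=alice ip=198.51.100.7 country=NO result=success
2012-09-02T03:12:41Z account=alice ip=203.0.113.5 country=CN result=denied
2012-09-02T03:12:43Z account=bob ip=203.0.113.5 country=CN result=denied
2012-09-02T03:12:45Z account=carol ip=203.0.113.5 country=CN result=success
2012-09-02T03:12:47Z account=dave ip=203.0.113.5 country=CN result=denied
2012-09-02T09:30:00Z account=bob ip=192.0.2.20 country=US result=success
2012-09-03T19:05:12Z account=alice ip=198.51.100.7 country=NO result=success
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) account=(?P<account>\S+) ip=(?P<ip>\S+) "
                     r"country=(?P<country>\S+) result=(?P<result>\S+)$")

def parse_log(text):
    """Parse the constructed log format into event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def new_location_alerts(events):
    """(account, country, timestamp) for every attempt, successful or not, from a country
    the account never logged in from. Only successes extend the baseline, and the first
    success seeds it silently, so an account's first login does not alert."""
    known = defaultdict(set)
    alerts = []
    for e in events:
        acct, country = e["account"], e["country"]
        if country not in known[acct]:
            if known[acct]:
                alerts.append((acct, country, e["ts"]))
            if e["result"] == "success":
                known[acct].add(country)
    return alerts

def stuffing_sources(events, min_accounts=3):
    """IPs that tried at least min_accounts distinct accounts: a harvested credential
    list being tested against the service account by account."""
    per_ip = defaultdict(set)
    for e in events:
        per_ip[e["ip"]].add(e["account"])
    return {ip: sorted(a) for ip, a in per_ip.items() if len(a) >= min_accounts}

def accounts_to_reset(events, sources):
    """Accounts that succeeded from a stuffing source: reused password, force a reset."""
    return sorted({e["account"] for e in events
                   if e["ip"] in sources and e["result"] == "success"})
```

On the sample log, alice gets a new-location alert for the denied attempt from CN, 203.0.113.5 is flagged as a stuffing source, and carol is the one account that needs a forced reset.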

Promoted Comments

This is why online games should never launch without two factor authentication. There's no excuse now either, as Google allows any application to use Google Authenticator, and it supports mobile apps, SMS, and one-time codes. People also have to stop reusing passwords.

Which is definitely an annoyance. I filed a bug during the beta that while the web-interface where you manage your account allows you to use such a password, the game client will not accept it. That is still the case.

I can personally say that I have been the victim of hacking attempts. Several hundred attacks where the IP originated from several cities in China. However the GuildWars system informed me it was preventing authorization. I then changed my password and have been fine since.

Mnemonic Method. A user selects a phrase and extracts a letter of each word in the phrase (e.g., the first letter or second letter of each word), adding numbers or special characters or both.

Phrase                                                 Password
Please be my best valentine!                           Pbmbval!
This is the worst car I have ever driven in my LIFE!   TitwcIhedimLIFE!
I am definitely your #1 fan.                           Iady#1f.

Altered Passphrases. A user selects a phrase and alters it to form a derivation of that phrase. This method supports the creation of long, complex passwords. Passphrases can be easy to remember due to the structure of the password: it is usually easier for the human mind to comprehend and remember phrases with a coherent vocabulary than a string of random letters, numbers, and special characters.

Passphrase             Alternate Passphrase
to be or not to be     2.be.0r.nOt@to0.bEE
Dressed to the nines   Dressed*2*the*9z

Combining and Altering Words. A user can combine two or three unrelated words and change some of the letters to numbers or special characters. Table 3-4 shows examples of combining words.
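The mnemonic method quoted above, with each derived password checked against the article's own advice (length, digits, upper and lower case, symbols). This is an added example, not the commenter's, NIST's or ArenaNet's code; the rules for digits, punctuation and all-capitals words are assumptions chosen to reproduce the quoted rows, and the first row, which keeps three letters of its last word, is not reproduced (the function yields "Pbmbv!" for it).

```python
import string

def mnemonic_password(phrase, position=0):
    """Mnemonic method: keep the letter at `position` of each word (0 = first letter,
    1 = second). Assumed rules, chosen to reproduce the quoted rows: digits and
    punctuation in a word are kept in place ('#1' stays '#1', 'fan.' becomes 'f.'),
    and an all-capitals word is kept whole ('LIFE!' stays 'LIFE!')."""
    pieces = []
    for word in phrase.split():
        letters = [c for c in word if c.isalpha()]
        if letters and word == word.upper():
            pieces.append(word)          # all-capitals word kept whole
            continue
        pick = min(position, len(letters) - 1)   # short word: fall back to its last letter
        piece, seen = "", 0
        for c in word:
            if c.isalpha():
                if seen == pick:
                    piece += c
                seen += 1
            else:
                piece += c               # digits and punctuation survive in place
        pieces.append(piece)
    return "".join(pieces)

def policy_report(password):
    """Check a password against the article's advice: at least 8 characters
    (13 or more is better), digits, upper and lower case letters, and symbols."""
    return {
        "min_8": len(password) >= 8,
        "better_13": len(password) >= 13,
        "digit": any(c.isdigit() for c in password),
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }

if __name__ == "__main__":
    for phrase in ("This is the worst car I have ever driven in my LIFE!",
                   "I am definitely your #1 fan."):
        pw = mnemonic_password(phrase)
        print(pw, "fails:", [k for k, ok in policy_report(pw).items() if not ok])
```

Note that "Iady#1f." passes every rule except the 13-character one and "TitwcIhedimLIFE!" lacks a digit, which is the point of the article's advice: a phrase-derived password still needs a check against the policy.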

GW2 is pretty secure; the password attacks are starting to fail now, seeing as how they confirm email and disabled the "forget password" feature.

Also it allows me to locally remember my password (though that's kinda insecure if I have a virus) which means I can generate a 32 character random password with special characters and friends, and just copy-paste that from my password store. Most secure game password I've ever had.

I realized something was going on when I got repeated emails about people trying to login from China. At that point I decided that I should probably retire that password. They seem to have stopped since I updated it. I'm glad that I get emails each time someone tries to log in from another location, but I think they could be a little more blatant. Perhaps bold text that says "Did you fly to China in the last few hours? If not, you should probably change all your passwords." I was shocked that they aren't bothering with proxies.

I am not at all regretting my transition to KeePass (with database synchronized to Google Drive) over the last month. We almost literally have an account for every website we regularly visit online, and we have one for every service provided to us.

It felt like throwing in the towel, and in a way it was, but I suppose I've got some peace of mind to show for it.

That's exactly what I'm doing now. It's a bit of a pain in the ass to set up the first time, changing all your passwords to big random strings, but it has very minimal impact after that. Google Drive syncing makes it easy to use at work and home.

I'm essentially doing the same thing with KeePass myself except I have a Synology NAS box at home with their (awesome) cloud service enabled. I have multiple, and by multiple I mean quite a lot, of devices/computers synced to it. I feel more in control not having to use a third party service for hosting files.

I heard it was from playing in public games. People AFK and sniff credentials from the P2P stream.

PSA: Don't play in public games!!!!

I heard this from a friend who heard it from a friend who had it happen to his friend.

/snark

The snark comes from the fact that these comments are pretty civil and understanding. When Blizzard had this issue, all the commenters were questioning Blizzard's security practices, instead of the more common malware or fan site compromise.

I got one email from them for a password reset request. This was just prior to them disabling the password reset feature. Of course I logged in and changed my password to a new unique password after that. So far so good, no other emails about access attempts from other locations (I only play it from my 1 home computer).

"That means, at a minimum, a password with eight characters—although 13 or even more is better—that's generated using a password management program such as PasswordSafe or LastPass."

I use LastPass, but LastPass until recently did not support non-browser applications. They do have a beta available to premium subscribers. So while I think this would work for logging into your account on the website, it would not (correct me if I am wrong) when logging into the game client (unless you have the beta, of course).

I haven't played Guild Wars. What makes the Guild Wars 2 accounts so worthwhile to hack? (Serious question.) Is it about stealing the account and selling it, do people have real-world money stored in them that can be extracted, or is it about ripping off their gear?

It's all based on the concept of taking characters, gear, and in game money that some people will pay real money for. Why I have no idea since GW2 isn't particularly hard to progress in anyway.

Look, MMO devs, FFXIV launched with an authenticator. If the game so bad they suspended charging for it and are remaking it can do it, you can too.

Do you actually think the morons who use universal passwords are going to care about an authenticator?

Now that the trading post is up? Nothing. If someone were to hop onto my account and steal my gear, about 5 minutes of playing and I can replace most of it. What are they going to do with my stuff? They can't even trade it! It's SOULBOUND! Vendor it for 30 copper?

It makes me seriously question the motives of the hackers.

Korpo wrote:

Following poor password procedures results in poor password security. Also, water is wet.

Why did this comment not get Editor's Pick? Because it forces people to take responsibility for their actions instead of placing blame on the company?

^This is a true statement.

Like every other MMO, they hack accounts, steal all the account's gold to sell to other players, then use the account to either bot farm or spam adverts for their gold selling service until they're banned. Right now they're selling gold for less than the gem to gold conversion. ($9 for 2 gold according to a spam I saw yesterday, when you can sell about $12.00 worth of gems for 2 gold on the trading post.)

Selling accounts or stealing gear doesn't really come in to play - they mass hack, consolidate the gold, and sell it to unscrupulous players. Hacking is way faster than farming or botting for them.

Account sellers generally use legit, paid-for accounts (though they often use botting to level the accounts) because they have to gain a reputation before people will buy from them. Despite the fact that they're grossly violating terms of use and hacking/stealing from innocent gamers, most gold/account sellers are fairly honest with their paying customers; if a site develops a reputation as a good place to buy they get a lot more customers.

Ah, I see, thanks. That makes sense (in an unscrupulous sort of way).

AngelZero wrote:

Quote:

If it was forced, it'd have to be web-based.

No, it wouldn't. Hand out an authenticator with the game, and for digital buyers - ship one. This is in addition to iOS/Android apps.

That would eat into their profits, so it isn't likely, even if it only amounts to a few bucks each. For digital buyers, add shipping & overhead processing the request. Multiply by half a million copies and it really adds up. Add development & support costs and it goes higher.

Making it optional and selling at cost, or free for smartphones (like Blizzard) is best I expect to see without raising the cost of the game.

On a related note, I'm curious to see how long the game lasts and how good its server infrastructure will be, since there's no monthly fee. After sales taper off, how will they handle the ongoing costs?

If ArenaNet were serious about stopping the goldsellers, they would forbid the sending of gold through the mail system. That would knock out at least 90% of them - no point stealing accounts to sell off their stuff and use it to 'bot & spam if there's no way to transfer the gold. Then basic monitoring of the Trading Post for unusual sell orders would catch most of the rest. That would leave those selling items directly, but there are few desirable items that aren't bind-on-acquire...